Elastic Path User Details Multiple HTML Injection Vulnerabilities

Bugtraq ID:	25706
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Sep 18 2007 12:00AM
Updated:	Sep 18 2007 10:00PM
Credit:	R Dominguez Vega is credited with the discovery of these vulnerabilities.
Vulnerable:	Elastic Path Software Elastic Path 5.0
Not Vulnerable:	Elastic Path Elastic Path Software 5.1.1

Elastic Path User Details Multiple HTML Injection Vulnerabilities

Elastic Path is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input data.

Exploiting these issues may allow an attacker to execute HTML and script code in the context of the affected site, to steal cookie-based authentication credentials, or to control how the site is rendered to the user; other attacks are also possible.

These issues affect Elastic Path 5.0; prior versions may also be affected.

Elastic Path User Details Multiple HTML Injection Vulnerabilities

Attackers can use a browser to exploit these issues.

Elastic Path User Details Multiple HTML Injection Vulnerabilities

Solution:
The vendor released an update to address these issues. Please contact the vendor for information on how to obtain and apply this update.

Elastic Path User Details Multiple HTML Injection Vulnerabilities

References:

• Elastic Path �?? Administrative Session Hijacking through Embedded XSS (MWR InfoSecurity)
  
• Elastic Path Homepage (Elastic Path Software)